author | Simon L. B. Nielsen <simon@FreeBSD.org> | 2005-06-29 21:43:42 +0000 |
committer | Simon L. B. Nielsen <simon@FreeBSD.org> | 2005-06-29 21:43:42 +0000 |
commit | b8833141ed790bed2f5afa0e92a90c84172f325d (patch) | |
tree | 48ef6828b9b5bdc6ca484ec767131ec8b5e89e03 /sys/netinet | |
parent | 5a46cc72f48bca2da4c3867dbe8ea5ee6ac35ef2 (diff) | |
Correct bzip2 denial of service and permission race vulnerabilities.
Obtained from: Redhat, Steve Grubb via RedHat
Security: CAN-2005-0953, CAN-2005-1260
Security: FreeBSD-SA-05:14.bzip2
Approved by: obrien
Correct TCP connection stall denial-of-service vulnerabilities.
MFC: rev 1.270 of tcp_input.c, rev 1.25 of tcp_seq.h by ps: When a TCP
packet containing a timestamp is received, inadequate checking of
sequence numbers is performed, allowing an attacker to artificially
increase the internal "recent" timestamp for a connection.
A TCP packet with the SYN flag set is accepted for established
connections, allowing an attacker to overwrite certain TCP options.
Security: CAN-2005-0356, CAN-2005-2068
Security: FreeBSD-SA-05:15.tcp
Approved by: cperciva
Notes:
svn path=/stable/4/; revision=147669
Diffstat (limited to 'sys/netinet')
-rw-r--r-- | sys/netinet/tcp_input.c | 28 | ||||
-rw-r--r-- | sys/netinet/tcp_seq.h | 1 |
2 files changed, 25 insertions, 4 deletions
diff --git a/sys/netinet/tcp_input.c b/sys/netinet/tcp_input.c
index 8a8e90a30901..2882a243af1a 100644
--- a/sys/netinet/tcp_input.c
+++ b/sys/netinet/tcp_input.c
@@ -922,7 +922,7 @@ after_listen:
 * XXX this is tradtitional behavior, may need to be cleaned up.
 */
 tcp_dooptions(&to, optp, optlen, thflags & TH_SYN);
- if (thflags & TH_SYN) {
+ if (tp->t_state == TCPS_SYN_SENT && (thflags & TH_SYN)) {
 if (to.to_flags & TOF_SCALE) {
 tp->t_flags |= TF_RCVD_SCALE;
 tp->requested_s_scale = to.to_requested_s_scale;
@@ -1587,11 +1587,25 @@ trimthenstep6:
 /*
 * If last ACK falls within this segment's sequence numbers,
 * record its timestamp.
- * NOTE that the test is modified according to the latest
- * proposal of the tcplw@cray.com list (Braden 1993/04/26).
+ * NOTE:
+ * 1) That the test incorporates suggestions from the latest
+ * proposal of the tcplw@cray.com list (Braden 1993/04/26).
+ * 2) That updating only on newer timestamps interferes with
+ * our earlier PAWS tests, so this check should be solely
+ * predicated on the sequence space of this segment.
+ * 3) That we modify the segment boundary check to be
+ * Last.ACK.Sent <= SEG.SEQ + SEG.Len
+ * instead of RFC1323's
+ * Last.ACK.Sent < SEG.SEQ + SEG.Len,
+ * This modified check allows us to overcome RFC1323's
+ * limitations as described in Stevens TCP/IP Illustrated
+ * Vol. 2 p.869. In such cases, we can still calculate the
+ * RTT correctly when RCV.NXT == Last.ACK.Sent.
 */
 if ((to.to_flags & TOF_TS) != 0 &&
- SEQ_LEQ(th->th_seq, tp->last_ack_sent)) {
+ SEQ_LEQ(th->th_seq, tp->last_ack_sent) &&
+ SEQ_LEQ(tp->last_ack_sent, th->th_seq + tlen +
+ ((thflags & (TH_SYN|TH_FIN)) != 0))) {
 tp->ts_recent_age = ticks;
 tp->ts_recent = to.to_tsval;
 }
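Review bot: The added state test on the `if` is the entire defense against a SYN on a non-SYN_SENT connection rewriting negotiated options, but the line carries no comment saying so, and `tcp_dooptions(&to, optp, optlen, thflags & TH_SYN)` three lines above still parses the SYN-only options for every state, so the protection rests on this one conditional. Suggest a comment directly above it: `/* SYN-only options (window scale below, and the others) are negotiated once; a SYN arriving after SYN_SENT must not rewrite them. */`. Whether the LISTEN path processes its own SYN options elsewhere is not visible here. The enclosing function continues on both sides of this hunk.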
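Review bot: The new upper-bound term `((thflags & (TH_SYN|TH_FIN)) != 0)` contributes one sequence number whether SYN, FIN or both are set, while the comment's `Last.ACK.Sent <= SEG.SEQ + SEG.Len` counts SYN and FIN each as one, so for a SYN+FIN segment the bound is one too small and the timestamp is not recorded. That errs on the strict side and is not an exposure, but it should either be stated in the NOTE or written as `((thflags & TH_SYN) != 0) + ((thflags & TH_FIN) != 0)`. The `tlen` used here is presumably the post-trim length given the `trimthenstep6` label, which the comment's SEG.Len wording does not make clear; a word on that would help. The surrounding function extends beyond the hunk on both sides.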
@@ -2360,6 +2374,12 @@ tcp_dooptions(to, cp, cnt, is_syn)
 bcopy((char *)cp + 6,
 (char *)&to->to_tsecr, sizeof(to->to_tsecr));
 to->to_tsecr = ntohl(to->to_tsecr);
+ /*
+ * If echoed timestamp is later than the current time,
+ * fall back to non RFC1323 RTT calculation.
+ */
+ if ((to->to_tsecr != 0) && TSTMP_GT(to->to_tsecr, ticks))
+ to->to_tsecr = 0;
 break;
 case TCPOPT_CC:
 if (optlen != TCPOLEN_CC)
diff --git a/sys/netinet/tcp_seq.h b/sys/netinet/tcp_seq.h
index 90dd97d92af2..bc989b7faa9a 100644
--- a/sys/netinet/tcp_seq.h
+++ b/sys/netinet/tcp_seq.h
@@ -48,6 +48,7 @@
 /* for modulo comparisons of timestamps */
 #define TSTMP_LT(a,b) ((int)((a)-(b)) < 0)
+#define TSTMP_GT(a,b) ((int)((a)-(b)) > 0)
 #define TSTMP_GEQ(a,b) ((int)((a)-(b)) >= 0)
 /* |
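Review bot: The `(to->to_tsecr != 0)` guard on the new check is redundant: when to_tsecr is already 0 the assignment is a no-op, so `if (TSTMP_GT(to->to_tsecr, ticks)) to->to_tsecr = 0;` is equivalent and reads closer to the comment above it. If the guard is kept to signal that zero is the sentinel the RTT code treats as "no echoed timestamp" (presumably, since the hunk itself relies on it), the comment should say that explicitly, e.g. `* A zero tsecr is what the RTT code already treats as "no echo".`. Note that TSTMP_GT is a modulo comparison, so an echo that lags `ticks` by more than half the 32-bit space would also be discarded; acceptable for a sanity check but worth a word. tcp_dooptions begins and ends outside this hunk.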